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LIST SIGNATURE METHOD AND APPLICATION TO ELECTRONIC VOTING. 



The present invention relates to the general field of secmity of services 
5 accessible through a digital data transmission network, and more specifically to the 
field of electronic signature. 

It notably, but not exclusively, applies to electronic voting or even to electronic 
petition. 

The electronic signature of a message implements a mechanism pertaining to 

10 so-called asymmetric cryptography: the signatory, who has a secrete or private key 
and an associated public key, may produce a message signature by means of the 
secrete key. To verify the signature, it is sufficient to have the public key. 

In certain applications like electronic voting, the signatory should be able to 
remain anonymous. For this purpose, the so-called anonymous electronic signature 

15 has been developed enabling with the help of a public key to determine whether the 
signatory of a message has certain rights (rights to sign the message, rights to have the 
secrete key used for signing the message, etc.) while preserving the anonymity of the 
signatory. In addition, in voting or electronic petition applications, each authorized 
person should be able to sign only once. 

20 Among anonymous signatures, there is also what is called the blind signature 

allowing a person to obtain a signature of a message firom another entity, without the 
latter having to know the contents of the message, and being able to establish later the 
link between the signature and the identity of the signatory. This blind signature 
solution therefore requires the intervention of an intermediate entity who produces the 

25 signatures. In applications such as voting and electronic petition, each solution 
involves an empowered authority who signs the vote of each voter or the petition for 
each petitioner. 

The concept of a group signature has also been proposed which enables each 
member of a group to produce a signature so that a verifier having an adequate public 
30 key may verify whether the signature was issued by a member of the group without 
being able to determine the identity of the signatory. 

This concept is described for example in document: 

[1] "A Practical and Provably Secure Coalition-Resistant Group Signature 
Scheme", of G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, in M. Bellare, Editor, 
35 Advance in Cryptology - CRYPTO 2000, vol. 1880 of LNCS, pp. 255-270, Springer- 
Veriag 2000. 

However, in this concept, a reliable authority may at any moment break this 
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anonymity and determine the identity of a person of the group having issued a 
signature. In addition, this type of signature is said to be "non linkable", i.e. it does not 
allow one to determine whether two signatures were or not issued by the same person, 
without breaking the anonymity of the signature. Group signatures are used in many 
5 applications, such as electronic auctions, electronic cash, or even electronic voting. 
Group signature is utterly unsuitable for the latter application as it authorizes a 
reliable authority to access the identity of a signatory, and it does not allow the linking 
of two signatures issued by a same person without determining the identity of the 
signatory. In addition, document [1] does not provide any process for revoking a 

1 0 member of the group. 

To remedy the latter drawback, document [2] "Efficient Revocation of 
Anonymous Group membership Certificates and Anonymous Credentials" of J. 
Camenisch and A. Lysysanskaya, published by Cryptologie ePrint Archive lACR, 
2002, provides the adding of a revocation process to this concept (this document will 

15 also be published by M. Jung, Editor CRYPTO 2002, Springer- Verlag 2002). 
However, this solution does not provide a solution to the problems of preserving the 
anonymity of the signatory, and "linkability" of two signatures. 

In an electronic voting application, it is further necessary to ensure security 
approaching traditional voting at the very most, in order to guarantee the following 

20 properties. 

Nobody should be capable of knowing the results of the poll even partially 
before its closing. Everybody should be able to be persuaded of the validity of the 
final result of the poll. Finally, an empowered authority should be able to withdraw or 
revoke the voting right of a person. 

25 Whether one is dealing with off-line voting, i.e. with the use of an electronic 

voting machine, set up in a polling station or in on-line-voting, i.e., remotely, via the 
Intemet network for example, the presently proposed systems, using a group signature 
as described in document [1] and completed in document [2], do not meet these 
conditions, except for revoking the right of signature. 

30 Moreover, application of the blind signature concept to electronic voting is a 

solution for which implementation is awkward, as the voter is compelled to logon 
several times at each election. In addition, if the poll backfu-es, the person responsible 
for this cannot be determined: either a voter or the organizer of the poll. 

The concept of mixer networks has also been proposed, notably in document 

35 [3] "Untraceable Electronic Mail Return Addresses and Digital Pseudonym" of D. 
Chaxmi, ACM 1981, each mixer being a function producing a list of nimibers 
decrypted from a list of encrypted numbers, while concealing the match between the 



3 



encrypted and decrypted nvimbers. Applied to electronic voting, this technique has the 
major drawback of not allowing the validity of a vote to be verified without 
compromising the secret thereof. 

In document [4] "A secure and Optimal Efficient Multi-Authority Election 
5 Scheme", of Cramer, Gennaro, and Schoenmakers, Eurocrypt*97, LNCS - Springer- 
Verlag, so-called homomorphic encryption is described enabling basic calculations to 
be performed on encrypted numbers. Solutions based on this method however are not 
applicable to polls involving a large number of voters. 

The object of the present invention is to get rid of this drawback. This goal is 
10 achieved by providing a list signature method comprising at least: 

an organizing phase consisting, for a reliable authority, of defming parameters 
for implementing an anonymous electronic signature, including a private key and a 
corresponding public key, 

a phase of registering persons in a list of members authorized to generate an 
15 electronic signature specific to the members of the list, during which each person to 
be recorded calculates a private key with the help of the parameters provided by the 
reliable authority and of parameters randomly selected by the person to be registered, 
and the reliable authority delivers a list membership certificate to each person to be 
registered, 

20 a signing phase during which a member of the list generates and issues a 

signature specific to the members of the list, this signature being built in order to 
contain proof that the member of the list having issued the signature, has a list 
membership certificate, and 

a phase of verifying the issued signature comprising steps for applying a 

25 predefined algorithm in order to show the proof that the signature was issued by a 
person having a list membership certificate. 

According to the invention, this method further comprises: 
a phase of defining a series consisting, for a reliable authority, of generating a 
serial number to be used in the signature phase, a signature generated during the 

30 signature phase comprising a signature element which is common to all the signatures 
issued by a same member of the list with a same serial number and which contains 
proof that the serial number was used for generating the signature, the verifying phase 
further comprising a step of verifying the proof that the serial nxmiber was used for 
generating the signature; 

35 a phase of revoking a member of the list in order to remove a member fi"om the 

list, during which the reliable authority removes the member to be removed from the 
list and updates the parameters for implementing the anonymous electronic signature. 
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in order to take into account the removal of the member from the list; and 

a phase of updating the certificates of the members of the list in order to take 
into account changes in the composition of the list. 

According to one embodiment of the invention, the organizing phase comprises 
5 definition of a common parameter depending on the composition of the list, the phase 
of registering a person in the list, comprising the definition of a paraineter specific to 
the person to be registered which is calculated according to the parameter depending 
on the composition of the list, and which is integrated into the certificate handed out 
to the person, the registering phase comprising a step of updating the common 
10 parameter depending on the composition of the list, a phase of revoking a member of 
the list comprising a step of changing the common parameter depending on the 
composition of the list, in order to take into accovmt the removal of the member from 
the list, and the phase of updating certificates of the members of the list including a 
step of updating the parameter specific to each member of the list in order to take into 
1 5 account changes in the composition of the list. 

According to an embodiment of the invention, a signature specific to a member 
of the list and having the certificate [Ai, ej] comprises parameters Ti, T2, T3, such that: 
Ti=Aib''(modn), 
T2 = g^(modn), 
20 T3 = geih"*(modn), 

where oo is a randomly selected number during the signature phase, and b, g, h, and n 
are general parameters for implementing the group signature, such that parameters b, 
g and h cannot be inferred from each other by integer power raising modulo n 
fimctions, so that the number Ai and therefore the identity of the member of the list 
25 having the certificate [Aj, ej] cannot be inferred from a signature issued by the 
member. 

Preferably, the number of a series used for generating a list signature is 
calculated according to a beginning date of the series. 

Advantageously, the fimction for calculating the number of a series is in the 

30 form: 

F(d) = (H(d))^ (mod n) 
where H is a collision-resistant hash ftmction, d is the beginning date of the series, and 
n is a general parameter for implementing the group signature. 

According to an embodiment of the invention, the parameter T4 of a signature 
35 issued by a member of the list and depending on the serial number m and on the 
private key Xj of the signatory member is obtained from the following formula: 
T4 = m^i (mod n) 
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n being a general parameter for implementing the group signature and the signature 
comprising the proof that the parameter T4 was calculated with the private key xi of 
the member of the list who issued the signature. 

The invention also relates to an electronic voting method comprising a phase 
5 for organizing the elections, during which an organizing authority proceeds with 
generating parameters required for a poll, and assigns keys to the scmtineers, allowing 
them to decrypt and verify ballots, a phase of assigning a signature right to each of the 
voters, a voting phase during which the voters sign a ballot, and a counting phase 
during which the scrutineers verify the ballots and calculate the result of the poll 
10 according to the contents of the decrypted and valid ballots. 

According to the invention, this method implements a list signature method as 
defined hereinbefore, for signing ballots, each voter being registered as a member of a 
list, and a serial nvimber being generated for the poll, in order to detect whether a same 
voter has issued several ballots for the poll or not. 
15 According to one embodiment of the invention, the organizing phase comprises 

the handing out of a public key and a private key to each scmtineer, the ballots being 
encrypted with a public key obtained by the product of the respective public keys of 
all the scmtineers, and the corresponding decryption private key being obtained by 
calculating the sxmi of the respective private keys of all the scrutineers. 
20 Advantageously, encryption of the ballots is carried out with a probabilistic 

encryption algorithm. 

According to one embodiment of the invention, the ballots issued by the voters 
are stored in a public database, the result of the verifying and counting of each ballot 
being stored in the database associated with the ballot, and the private key for 
25 decrypting the ballots being published. 

A preferred embodiment of the invention will be described hereafter, as a non- 
limiting example, with reference to the appended drawings wherein: 

Fig. 1 illustrates a system for implementing the list signature and 
electronic voting methods according to the invention; 
30 Figs. 2-8 illustrate as flow diagrams, the various procedures which are 

executed in accordance with the list signature and electronic voting 
method according to the invention. 
The present invention proposes a list signature method wherein all the 
authorized persons, i.e. belonging to the list, may produce a signature which is 
35 anonymous, and anybody is able to verify the validity of the signature without having 
access to the identity of the member of the list who signed. 

Such a method may be implemented in the system illustrated in Fig. 1. This 
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system comprises temiinals 2 made available to the users and comiected to a digital 
data transmission network 5 such as the Intemet network. Advantageously, each 
terminal 2 is connected to a chip card 7 reader 8. Via the network 5, users may log on 
to a server 6 giving access to information for example stored in a database 4. This 
5 system also comprises a computer 1 of a reliable authority who notably delivers chip 
cards 7 to the users. 

The list signature method according to the invention repeats in the group 
signature method described in the referenced document [1], the following procedure: 

a procedure for organizing a group of signatories, which consists of setting up 
1 0 various parameters and required public keys, 

a registration procedure wherein a person to be registered in the group receives 
from a reliable authority a right of signature, i.e. an authorized private key and 
certificate, 

an actual signing procedure during which a person having a signature right 
1 5 signs a message, and 

a verifying procedure consisting of applying a verification algorithm to a 
signature in order to verify whether the signature was produced by a person having a 
signature right. 

The invention further provides an arrangement for guaranteeing the anonymity 
20 of a signatory, even with respect to a reliable authority, as well as a series organizing 
procedure consisting of defining a serial number to be used for generating list 
signatures, the verification of a signature further comprising a step of verifying 
whether the signature is unique for a given serial nimiber. 

The method according to the invention may also include a revocation 
25 procedure as defined in referenced docviment [2]. With this revocation procedure, a 
reliable authority may remove from a member of the list, the signature rights which 
were assigned to him/her earlier, from the identity of the member. The setting up of 
this revocation possibility involves execution by the members of the list of an 
updating procedure during which the members of the list update their certificates in 
30 order to take into accoimt the changes (addition or removals) made in the list of the 
persons authorized to sign. 

Fig. 2 illustrates the different steps of the organizing procedure 10 executed on 
the computer 1 of the reliable authority. 

According to the referenced document [1], this procedure consists of selecting 
35 11 the following integers: 
s>l,k,lp, 

^2, Yi, which are the lengths of the integers in numbers of bits, with: 
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>^2>41p (1) 
Xi > e{X2 + k) + 2 (2) 
y2>>ti+2 (3) 
Yi > e(y2 + k) + 2 (4) 
5 and of defining the sets of following integers: 
A = ]2^i . 2^^ + 2^% and 
r = ]2^^.2^2^ 2^> + 2% 
This procedure also consists of selecting a collision-resistant hash function H 
such that a binary sequence of any length marked as {0, 1}* is transformed into a 
1 0 binary sequence of length k marked as {0, 1 } 

Next, the computer 1 of the reliable authority randomly generates in step 12, 
prime numbers p' and q' with size Ip, such that p = 2p' -i- 1 and q = 2q' -h 1 and q = 2q' + 

1, are also prime numbers. Next, it computes in step 13 module 
n = pq and randomly generates in step 14, integers a, ao, b, g and h, in the set QR(n) of 

15 quadratic residues of n, i.e. the set of integers y such that 
y = x^ (mod n), x being an integer. It is then considered that the public key PK of the 
reliable authority consists of the series of integers (n, a, ao, b, g, h) and that the private 
key of the latter consists of the series of integers (p\ q'). 

In order to be registered by the reliable authority, a user wishing to become a 

20 member of the list executes the procedure 20 illustrated in Fig. 3, on his/her terminal 

2. Execution of this procedure engages a dialog with the computer 1 of the reliable 
authority which then executes a procedure 20'. Procedure 20 first of all comprises a 
step 21 for randomly generating integers Xj et r , respectively intervals ]0, 2^^[ and 

]0, n^[. From these integers, an integer Ci is calculated 22 such that: 
25 q = g^ihr(modn) (5) 

In step 23, the proof of the knowledge of both numbers a and p (i.e. xj et r ) is 
built such that C, = g^h^ (mod n). 

Such a proof is formed for example by randomly selecting two integers ri and 
r2 in the set of signed binary nimibers with s(21p + k) bits, marked as 
30 ±{0, iy^^h^^\ and by calculating the following numbers: 

di = g'ih^2^modn> (6) 

c = //(g||h||Ci||d,X (7) 
wherein the || symbol represents the concatenation operator, 

Si = r, - ca, (8) 
35 S2 = r2 - cp. (9) 

S\ and S2 beLug relative integers. 

The proof U is then equal to (c, Si, S2, Ci). 
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The number Ci and the proof U are then sent to the reliable authority who in 
step 21', verifies proof U and whether Ci is in the QR(n) set of quadratic residues of n. 
In the previous example, verification of the proof consists of calculating: 
ti = Cfg^h^(modn) , and (10) 

c'=//(g||h||C,||tO. (11) 
The proof is established if c' = c and if Si and sa belong to the set 

If such is the case, the computer 1 of the reliable authority, randomly generates 
in step in 22' two integers aj, Pi in the interval ]0, 2^^[, and sends these nvunbers to the 
terminal 2 of the user. In procedure 20, the terminal of the user then calculates in step 
24 the integers xj and C2 by applying the following formulae: 

Xi = 2^'+(aiXi+pi(mod2^)), and (12) 

C2 = a'''(modn) . (13) 

Next, the following proofs are built in step 25 (for example according to the 
same principle as proof U): 

the proof V of having a number a belonging to set A such that: 

C2 = a"(modn) (14) 
the proof W of having three nimibers p, y, 6, such that p e ]- 2^^, 2^% and 

C2/a^2 = and (15) 

Crg^'=gV")V (16) 

C2 and proofs V and W are then sent to the computer 1 of the reliable authority 
who verifies 23* the proofs V and W and whether C2 belongs to set QR(n). If such is 
the case, it randomly generates 24' a prime nimiber ej, belonging to set T and applies 
the following formula: 

l/e 

Ai=(C2ao) *(modn) (17) 

and sends back to the user, integers Ai and e,, considered as a certificate [Ai, ej] for the 
user's membership of the list. 

Computer 1 then generates 2& a new entry in a table of members of the list, for 
example in the database 4, in which is stored the certificate [Ai, Cj] for changes in the 
list (for example revocations of members), and preferably for messages exchanged 
between the reliable authority and the user, during this procedure for registering the 
user. 

Moreover, the user may verify 26 the authenticity of the received certificate by 
verifying that the following equation is satisfied: 
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a *ao = Ai'(modn) (18) 

At the end of this registration procedure 20, the user therefore has a private key 
Xi and a certificate [Aj, Ci] of membership of the Hst, which for example are stored in a 
chip card 7. 

5 With such a certificate, the user may generate a signature of a message M 

belonging to set {0, 1}*. 

For this purpose, the reliable authority publishes according to the invention, a 
serial number m, randomly selected in set QR(n). This nimiber will have to be used by 
the members of the list for signing a message during a given series. The respective 
10 numbers of different series must not be linkable. In particular, it should be impossible 
to calculate a discrete logarithm of a given serial number, relatively to the base of 
another serial number, i.e. it should not be possible to practically calculate integers x 
and y, such as: 

m'' = m'^(mod n), m and m' being serial numbers. 
15 This serial number m may be calculated according to the date of the begirming 

of the series: m = F(date). For example this function F is chosen to be equal to: 
F(d) = (/r(d))'(modn) (19) 
where H\ a collision-resistant hash function, such as a binary sequence of any 
length marked as {0, 1}*, is transformed into a binary sequence with length 21p 
20 marked as {0, 1}^'p. It is therefore easy to verify the validity of the serial number by 
applying formula (19). 

The procedure for signing a message is designed so that a user may show that 
he/she has a member certificate and a member private key and that he/she uses the 
proper serial number. 

25 To sign a message M, a member of the list must execute, for example on 

his/her chip card 7, connected to a terminal 2 and storing his/her certificate 
[Ai, Ci] and his/her private key Xi, a signature procedure 30 illustrated in Fig. 4. This 
procedure first of all comprises a step 31 for randomly generating a number co 
belonging to the set {0, 1}^'p. 

30 It further comprises a step 32 consisting of calculating the following numbers 

from©: 

Ti = Aib'' (mod n), (20) 
T2 = g^(modn), (21) 
T3 = g^ih"(modn). (22) 

35 According to the invention, the following number is also calculated: 

T4 = m^i(modn) (23) 
In the next step 33, numbers ri in the set of signed binary numbers with 8(y2+k) 
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bits, marked as ±{0, l}^(T2+k)^ ^ ^^q^ lje(^2+k)^ ^ 

±{0, i}«(ri+2ip+k+i)^ ^ ^^Q^ 1 je(2ip+k) randomly generated. Then in step 

34, the following quantities are calculated: 

d,=T/V(aV^)(niodn) (24) 
5 d2 = T2'Vg'3^modn) (25) 

d3=g''*(modn) (26) 
d4 = g''h''*(modn) (27) 
According to the invention the following number is also calculated: 
d5=m'2^modn) (28) 
10 Then, in step 35 the following numbers are calculated: 

c = i/(m||b||g||h||ao||a||T,|tT2||T3||T4||di||d2||d3||d4||d5||M), (29) 
wherein || represents the concatenation operation, 

51 - r, - c(ei - 2\ (30) 

52 = r2 - c(xi - 2^'), (31) 
15 S3=r3-cei(o, (32) 

S4 = r2 - c©, (33) 
Si, S2, S3, S4 being relative integers. 

The signature finally consists of the set of following nimibers: 

(c, si, S2, S3, S4, T,, T2, T3, T4). (34) 
20 which for example is issued by the network 5. 

Verification of a signature of a message M takes place by executing the 
procedure 40 illustrated in Fig. 5. This procedure first of all comprises in step 41, the 
calculation of the following numbers: 



Y, 



ti=aoTi' /(ZL b^)(modn) (35) 

25 t2 =T2'"^^ ' /g''(modn) (36) 

t3=T2V'(modn) (37) 

t4 = T3V'~*'^ h'''(modn) (38) 

According to the invention, it also comprises the calculation of the following 
numbers: 

s,-c2*'' 

30 t5=T4m^ (modn) (39) 

C = ^(mi|b||g||h||ao||a||T,||T2||T3||T4||t,||t2||t3||t4||t5||M) (40) 
The signature is authentic if the following conditions are met in step 42: 
C = c (41) 
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s, €±{0, l}^^^2-k).\ (42) 

S2e±{0, 1}^(^2^*^)^\ (43) 

S3€±{0, l}^^^^"'*p"'"')^\ (44) 

S4€±{0, 1}^<'^P^^>^^ (45) 



5 If these conditions are not met, the signature is not valid (step 45). 

In addition, by accessing all the signatures which have been produced during a 
given sequence, for example in the database 4, in step 43 it may easily be verified 
with parameter T4 whether a member of the list has signed several times: all the 
signatures issued by a member of the list comprise a parameter T4 with the same value 
10 for a given serial nvmiber. 

It should further be noted that a member cannot cheat by using another value as 
T4 is strongly linked to Ti. Indeed, the formula for calculating Ti may also be written 
as follows: 

Tf ' = aoa^ib'^^'(modn) (46) 

15 If T4 is already in the set of signatures issued for a given serial number, it is 

inferred from this that the signattire was already issued by a member of the list for this 

serial number (step 46). 

In order to include a possibility for revoking a member of the list, the method 

which has just been described may be changed in the following way. 
20 The procedure for organizing 10 the list further comprises in step 14, the 

random selection of a number u belonging to set QT(n), and the definition of two sets 

Eadd and Edei which are empty initially. 

The public key PK of the reliable authority then consists of the sequence of 

integers (n, a, a©, b, g, h, u) and of sets Eadd and Edd. 
25 During the registration procedure 20, 20', the computer 1 of the reliable 

authority assigns in step 25', the Ui parameter to the new member Ui of the list, this 

parameter being such that Uj = u, and updates the value of the u parameter by 

replacing this value with u^'. 

The certificate of the new member then groups together integers Aj, Cj and Uj, 
30 this certificate being stored in step 26' for future changes and transmitted to the new 
member. 

The reliable authority also introduces the number Cj assigned to the new 
member in the set Eadd- 

Upon receiving his/her certificate, the new member further verifies whether: 
35 Ui^=u(modn) (47) 

The other members Uj of the list must then execute an updating procedure in 
order to take into account the arrival of a new member and therefore the change in the 
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list parameter u. This procedure consists of recalculating their Uj parameter as follows: 
Uj = u/>(modn) (48) 
In this way, relationship (47) is always met for all the pairs (uj, ej) of all the 
members of the list. 

5 The procedure for revoking a member Uk of the list whose certificate is (Ak, Cr, 

Uk) for the reliable authority consists of changing the u parameter as follows: 

u = u^^'^ (modn) (49) 
and of introducing parameter Ck into set Edei- 

In addition, each unrevoked member Uj of the list should take into account this 
10 revocation (change in the parameter u) by recalculating his/her Uj parameter as 
follows: 

^j = UjV(modn) (50) 
a and b being such that acj + bck = 1 . 

In order to determine a and b, it is sufficient to apply the extended Euclid 
1 5 algorithm consisting of carrying out a series of Euclidian divisions. 

It should be noted that the revoked member (having Ck) cannot determine a and 
b with formula (50) which becomes ek(aH-b) = 1, and so recalculate the Uk parameter. 

During the signing procedure 30 by a member of the list, in step 31, mmibers 
Wi, W2 and W3, with a binary length equal to 21p, i.e. belonging to the set {0, 1}^'p 
20 must fiirther be selected randomly, and the following numbers must be calculated in 
step 32: 

T5 = g^^h'^>(modn) (51) 
T6 = Uih'^'(modn) (52) 
T7 = g^^h^^(modn) (53) 
25 Numbers rs, r^, r-j belonging to the set ±{0, i}^(2ip+k)^ numbers rg and r9 

belonging to the set ±{0, i}^(Yi^2ip+k+i)^ ^^^^ ^1^^ selected randomly and then the 
following numbers must be calculated in step 34: 

d6 = g'^h^'(modn) (54) 
d7 = g'%^^(modn) (55) 
30 d6 = T6''/h^«(modn) (56) 

ci9 = T/V(g^«h^9) (mod n) (57) 
Number c then includes the following elements: 
c = //(m||b||g||h||ao|la||Ti||T2||T3||T4||T5l|T6||^ (58) 
In step 35, the following needs to be calculated: 
35 S5 = rs - cw, (59) 

S6 = r6 - CW2 (60) 
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$7 = - CW3 

58 = rg - ceiW2 

59 = 19 - cCiWa 



(61) 
(62) 
(63) 



The signature then consists of the set of following numbers: 

(c, si, S2, S3, S4, S5, 86, S7, S8, 89, Ti, T2, T3, T4,T5, Te, T7). 



(64) 



The procedure 40 for verifying a signature then further comprises the 
calculation of the following numbers in step 41: 



The signature is authentic if the following addition conditions are met in step 



It should be noted that unlike the group signature described in document [1], it 
is not possible for the reliable authority to find out the identity of a signatory, i.e. 
number Ai of the signatory certificate from a list signature as described. Indeed, unlike 
the method described in this docxmient, the reliable authority does not xise a private 
key X for generating the b parameter, and therefore number Aj cannot be inferred from 
Ti and T2. 

In addition, the signature generated by a revoked member Uk will be detected 
as invalid. Indeed, parameter T6 involves parameter Uk, which was determined from 
the common parameter u, and parameter tg which is calculated in order to verify the 
signature, also involves parameter u which was changed as a result of the revocation 
of member k. As a result, upon verifying the signature, parameters and tg are 
inconsistent, and therefore the equality between c and c* cannot be verified by the 
signature of member k. 

The list signature method which has just been described may be applied to an 
electronic voting method. The electronic voting method according to the invention 
comprises several phases, including the execution of the procedures of the list 



c' 




42: 



S5G±{0, 1}^^^*P"*^^"', 

S6e±{0, 1}^('V*^>^\ 

S7e±{0, 1}^<2'P"^>^\ 

S8e±{0, l}^^^l■^2'p■*■^^^>^^and 

S9e±{0, l}^^^'^2'p^'^^*>^^ 



(70) 
(71) 
(72) 
(73) 
(74) 



14 



signature method described hereinbefore. 

This method involves an intervention from the reliable authority 1 organizing 
the elections, who executes for this purpose a procedure 50 for organizing the poll. 
This procedure consists of generating the data required for the proper course of the 
5 election, a public database accessible to all in which the ballots are collected. During 
the organizing of the poll, scmtineers who will count the votes and determine the 
result of the election are also appointed. 

The reliable authority first of all proceeds with generating various parameters 
required for setting up a list signature, by executing the procedure 10 for organizing 
10 signing of the list. The voters should be registered beforehand in an election list for 
example in a town hall, and in order to receive all the data required for generating a 
list signature, i.e. a private key Xi, and a certificate (Aj, Cj, Uj). With these parameters, 
the voters may participate in all future elections. This registration procedure may be 
executed between a chip card 7 and a terminal 2, for example, the chip card storing 
15 the certificate of the voter at the end of the procedure. 

Before an election, the organizing authority proceeds with updating the election 
list by executing procedure 20, 20', for the newly registered voters, and by removing 
(revoking) list signature rights to all persons crossed out from the election registers 
(for example persons who have left the district or are deprived of their civil rights). 
20 These revocations are performed by executing the revocation procedure described 
herein before. In step 51 of procedure 50, the organizing authority also publishes a 
serial number required for setting up a new list signature series, in order to prevent 
voters from voting (signing) twice in this election. 

Moreover, the scrutineers will create 52 the required pairs of public/private 
25 keys, so that they may all cooperate in order to be able to decrypt an encrypted 
message with the public key. For this purpose, the cryptographic system set up is 
selected in order to allow a voter to encrypt a message (ballot) with at least one public 
key, while imposing cooperation of all the scrutineers to use the corresponding private 
key(s) and thus decrypt the message. 
30 The sharing of the decryption private key among all the scrutineers may be 

carried out in the following way. 

Let us consider g, a generator of the cyclic group G. A respective private key Xj 
is assigned to each scmtineer i who calculates the number yj belonging to G such that: 
yi = g''^ (75) 
35 The public key Y to be used by the voters is obtained by the following formula: 

Y = nyi (76) 

i 

and the corresponding private key X shared by all the scrutineers i is the following: 



15 



X = S>^i (77) 

i 

It is possible to obtain a similar result by proceeding with encryption by using 
all the respective public keys of the scrutineers. Decryption requires knowing all the 
corresponding private keys. 

Before going to vote, each voter should update his/her list signature certificate 
according to the change procedure described hereinbefore, by means of the parameters 
published earlier. If the voter has not been struck off the election list, this change may 
be made. 

While the polling stations are open, each voter issues a ballot by executing a 
procedure 60 on a terminal. In step 61, the voter selects his/her vote Vj and encrypts 
the latter by means of the public key of the scrutineers in order to obtain en encrypted 
vote Di. He/she then signs the encrypted vote by means of the list signature method in 
order to obtain a signature Sj. The ballot consisting of the set (Di, Si) of the vote and 
signature is then anonymously published in a public database 4. 

In step 62, encryption of the vote is achieved by using a probabilistic 
encryption algorithm (i.e. the probability that two encryptions of a same message are 
identical is quasi zero), such as the El Gamal or Paillier algorithm for example. If the 
El Gamal algorithm appUes, encryption is carried out by calculating the following 
numbers: 

aj^VjVetbj^g' (78) 
where r is a random element. The encrypted vote vj then consists of the pair Dj = (aj, 
bj). The voter Ej then calculates 63 the list signature of the encrypted vote Sj = 
Sigiist(ajllbj), Sigiist being the Ust signature as described hereinbefore, by executing the 
procedure 30 with his/her chip card 7, which is transmitted to the teraiinal 2. 

The voter Ej has just generated his/her ballot (Dj, Sj) which is sent 64 to the 
public database 4 by means of an anonymous transmission channel, i.e. forbidding a 
linkage fi-om a transmitted message to the issuer of the latter. The voter for this 
purpose may use a public terminal or a network of mixers. 

At the end of the poll, the scrutineers carry out the coxmting of the votes by 
executing procedure 70 on the terminal 3. This procedure first of all consists of 
generating 71 the decryption private key X fi*om their respective private keys Xj and 
with the help of formula (77). Then, in step 72, they access the public database 4 of 
the ballots in order to obtain the ballots (Dj, Si) and to decrypt them. The actual 
decryption of the ballots consists of verifying 74 the signature Sj for each issued ballot 
(step 73), by executing the procedure 40 for list signature verification as described 
hereinbefore, and if the signature is valid and unique (step 75), of decrypting 76 the 
encrypted vote Dj by applying the following formula: 
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Vj = aj/bj^ (79) 
The thereby decrypted and verified votes Vj with the result of the corresponding 
verification are introduced 77 into the database 4 of the ballots, in association with the 
ballot (Dj, Sj). 

5 The decryption private key X is also published so that all may verify the 

counting of the ballots. 

Once all the ballots have been counted, this procedure 70 calculates the result 
of the election in step 78 and updates the public database of the ballots by writing this 
result therein and optionally the decryption private key X. 

10 It is easy to ascertain that the properties stated hereinbefore required for setting 

up an electronic vote system, are checked by the method described above. Indeed, 
every voter can only vote once, as it is easy to find in the database two signatures 
issued by a same voter for a same poll (for a same serial nvmiber). In this case, the 
scrutineer may not take into accoxmt both votes or only count one vote if they are 

15 identical. 

Altematively, in step 64 for inserting a vote in the database 4, verification may 
be provided as to whether the vote issued by the voter does not already exist in the 
database by searching therein for the parameter T4 specific to the voter. If it is thereby 
detected that the voter has already voted for this poll, the new vote is not inserted into 

20 the database 4. 

Subsequently, it is not possible to begin counting the ballots before the end of 
the poll if at least one of the scmtineers observes the rule, as the presence of all the 
scrutineers is required for counting a ballot. Finally, the result of the election may be 
verified by all as the scmtineers provide all the required elements (in particular the 

25 counting private key) in the database in order to proceed with such a verification, and 
that the verification of a signature is accessible to all by using the public key PK = (n, 
a, ao, b, g, h, u) of the reliable authority. Hence, anybody may perform the counting in 
the same way as the scmtineers and therefore make sure that it was performed 
properly. 

30 The keys of the scmtineers are of course obsolete at the end of the poll, as they 

are published. 



